3.1 Guidelines on Using the Connector

3.1.1 Guidelines on Configuring Reconciliation

The following are guidelines that you must apply while configuring reconciliation:

Before a target resource reconciliation run is performed, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before user reconciliation runs.

If you are using Oracle Identity Manager release 11.1.2 or later, then before you perform a reconciliation run, create an application instance.

The scheduled job for user reconciliation must be run before the scheduled job for reconciliation of deleted user data.

In the identity reconciliation mode, if you want to configure group reconciliation, then note that group reconciliation does not cover reconciliation of updates to existing groups on the target system. If you modify the name of a group on the target system, then it is reconciled as a new group in Oracle Identity Manager.

In the identity reconciliation mode, if you want to configure organization reconciliation, then note that:

Organization reconciliation does not cover reconciliation of updates to existing organization names on the target system. If you modify the name of an organization on the target system, then it is reconciled as a new organization in Oracle Identity Manager.

Organization reconciliation events created by the scheduled job for organization reconciliation (Active Directory Organization Recon) must be successfully processed before the scheduled job for trusted source reconciliation (Active Directory User Trusted Recon) is run. In other words, organization reconciliation must be run and the organization records reconciled from the target system must be successfully linked in Oracle Identity Manager.

On the target system, users are created in specific organizations. During trusted source reconciliation of user data, if you want OIM Users to be created in the same organizations on Oracle Identity Manager, then you must set the MaintainHierarchy attribute of the trusted source reconciliation scheduled task to yes. In addition, you must configure organization reconciliation to run before trusted source reconciliation.

In Oracle Identity Manager, the organization namespace is a flat namespace although it allows parent-child hierarchical relationships between organizations. Therefore, two Microsoft Active Directory OUs with the same name cannot be created in Oracle Identity Manager, even if they have different parent OUs on the target system.

The name of an organization in Oracle Identity Manager cannot contain special characters, such as the equal sign (=) and comma (,). However, these special characters can be used in the name of an organization on the target system.

The synchronization of organization lookup fields is independent of whether or not you configure organization reconciliation.

If you are going to configure Microsoft AD LDS as the trusted source, then you must ensure that a value (either true or false) is set for the msDS-UserAccountDisabled attribute of each user record on the target system, because in Microsoft ADAM this attribute has no default value. You can list the user records that still lack a value by searching the instance with the LDAP filter (!(msDS-UserAccountDisabled=*)), combined with whatever object class filter selects your user records.

The Filter attribute must contain only attributes that are present in the Decode column of the lookup definition that holds reconciliation attribute mapping.

If you are going to run the scheduled job for reconciliation of deleted user records, then ensure that you set the value of the Container parameter of the IT resource to the root of the directory. This ensures that all accounts are fetched into Oracle Identity Manager. Any user record that is not fetched into Oracle Identity Manager is assumed to have been deleted, so a Container value that excludes part of the directory causes the accounts outside it to be treated as deleted: in target resource mode the Active Directory resource is revoked for the corresponding OIM Users, and in trusted source mode the OIM Users themselves are deleted.

3.1.2 Guidelines on Performing Provisioning Operations

The following are guidelines that you must apply while performing provisioning operations:

Before you perform provisioning operations, lookup definitions must be synchronized with the lookup fields of the target system. In other words, scheduled tasks for lookup field synchronization must be run before provisioning operations.

When both Microsoft Active Directory User Management and Microsoft Exchange connectors are deployed in your environment, do not specify a value for the Redirection Mail Id field.

If you specify a value for the Redirection Mail Id field during a user provisioning operation, then a corresponding mail user account is created in Microsoft Exchange. When an Exchange mail user account is created through Active Directory in this way, some of its fields, such as Maximum Receive Size, cannot be updated, and the Microsoft Exchange connector cannot be used for further provisioning operations on this user, because the user already exists in Microsoft Exchange as a Mailuser.

Note that the Microsoft Exchange connector cannot convert such Mailuser accounts to Mailbox accounts, because the target system does not allow this conversion. Therefore, do not specify a value for the Redirection Mail Id field if both the Microsoft Active Directory and Microsoft Exchange connectors are deployed.

Passwords for user accounts provisioned from Oracle Identity Manager must adhere to the password policy set in Microsoft Active Directory.

Note:

If you install Microsoft ADAM on a domain controller, then it acquires all the policies of the Microsoft Active Directory instance installed on the same domain controller. If you install Microsoft ADAM on a workgroup computer, then the local system policies are applied.

In Microsoft Active Directory, password policies are controlled through password complexity rules. These complexity rules are enforced when passwords are changed or created. While changing the password of a Microsoft Active Directory account by performing a provisioning operation on Oracle Identity Manager, you must ensure that the new password adheres to the password policies on the target system.

See Also:

For more information about password guidelines applicable on the target system, visit the Microsoft TechNet Web site at

Some Asian languages use multibyte character sets. If the character limit for fields on the target system is specified in bytes, then the number of Asian-language characters that you can enter in a particular field may be less than the number of English-language characters that you can enter in the same field. The following example illustrates this point:

Suppose you can enter 50 characters of English in the User Last Name field of the target system. If you have configured the target system for the Japanese language, and each Japanese character occupies two bytes, then you would not be able to enter more than 25 characters in the same field.

The character length of target system fields must be taken into account when specifying values for the corresponding Oracle Identity Manager fields. For example, ensure that the value you specify for the User Login field in Oracle Identity Manager contains no more than 20 characters. This is because the sAMAccountName attribute in the target system (corresponding to the User Login field in Oracle Identity Manager) cannot contain more than 20 characters.

On the target system, the Manager Name field accepts only DN values. Therefore, when you set or modify the Manager Name field on Oracle Identity Manager, you must enter the DN value.

For example:

cn=abc,ou=lmn,dc=corp,dc=com

If the value that you specify for the Manager Name field contains special characters, then you must prefix each special character with a backslash (\). For example, if you want to specify CN=John Doe #2,OU=sales,DC=example,DC=com as the value of the Manager Name field, then you must specify the following as the value:

CN=John Doe \#2,OU=sales,DC=example,DC=com

The following is the list of special characters that must be prefixed with a backslash (\):

Number sign (#)

Backslash (\)

Plus sign (+)

Equal sign (=)

Comma (,)

Semicolon (;)

Less than symbol (<)

Greater than symbol (>)

Quotation mark (")

While specifying a value for the Home Directory field, follow these guidelines:

The value must always begin with two backslashes (\\).

In addition to the leading two backslashes, the value must contain at least one more backslash (\) separating the server name from the share name (for example, \\server\share\user), and the value must not end with a backslash.
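The checks above can be applied before a provisioning request leaves Oracle Identity Manager. The following is an added example (not code from the connector or from the Oracle documentation) that validates the sAMAccountName length, the byte length of a multibyte field, the escaping of the Manager Name DN and the Home Directory path, and that builds a correctly escaped DN from its parts. The field names, the 50-byte last-name limit, the cp932 code page used to illustrate a double-byte character set, and the sample values are assumptions made for the example.

```python
"""Pre-provisioning checks for values that Oracle Identity Manager sends
to Active Directory.

Added example; not code from the connector or the Oracle documentation.
It encodes the guidelines above: the 20-character sAMAccountName limit,
a byte-counted length limit for a multibyte field, the backslash
escaping required in the Manager Name DN, and the UNC-path rules for
the Home Directory field. The 50-byte last-name field and the Japanese
Windows code page (cp932: one byte per ASCII character, two per
Japanese character) are assumptions made for the example.
"""
import re

# Characters the guidelines require to be prefixed with a backslash when
# they occur inside an RDN value. The DN's structural '=' and ',' are
# emitted by build_dn itself, so they are never escaped there.
DN_SPECIALS = set('#\\+=,;<>"')

SAMACCOUNTNAME_MAX = 20                  # limit for user accounts on the target

# \\server\share[\more...] with no trailing backslash
UNC_RE = re.compile(r"^\\\\[^\\]+(\\[^\\]+)+$")


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value: 'John Doe #2' -> 'John Doe \\#2'."""
    return "".join("\\" + ch if ch in DN_SPECIALS else ch for ch in value)


def build_dn(rdns) -> str:
    """Join (type, value) pairs into a DN, escaping each value.

    Escaping per value is what keeps a value such as 'x,OU=Domain Admins',
    chosen by whoever controls the display name, from being read as an
    extra RDN when the DN is parsed on the target.
    """
    return ",".join(f"{rtype}={escape_rdn_value(value)}" for rtype, value in rdns)


def parse_dn(dn: str):
    """Split an escaped DN into (type, value) pairs, undoing the escaping.

    Raises ValueError when a special character appears unescaped inside a
    value, which is exactly the mistake the guideline warns about.
    """
    rdns, rtype, buf, escaped = [], None, [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and rtype is None:
            rtype, buf = "".join(buf), []
        elif ch == ",":
            if rtype is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((rtype, "".join(buf)))
            rtype, buf = None, []
        elif ch in DN_SPECIALS:
            raise ValueError(f"unescaped {ch!r} in {dn!r}")
        else:
            buf.append(ch)
    if escaped or rtype is None:
        raise ValueError(f"malformed DN {dn!r}")
    rdns.append((rtype, "".join(buf)))
    return rdns


def fits_in_bytes(value: str, max_bytes: int, encoding: str = "cp932") -> bool:
    """True when the encoded value fits a field whose limit counts bytes."""
    return len(value.encode(encoding)) <= max_bytes


def validate(values: dict, encoding: str = "cp932") -> list:
    """Return the guideline violations for a set of OIM field values;
    an empty list means the values can be provisioned as they are."""
    problems = []
    login = values.get("User Login", "")
    if len(login) > SAMACCOUNTNAME_MAX:
        problems.append(f"User Login: {len(login)} characters, "
                        f"sAMAccountName allows {SAMACCOUNTNAME_MAX}")
    if not fits_in_bytes(values.get("User Last Name", ""), 50, encoding):
        problems.append("User Last Name: exceeds the 50-byte target field")
    manager = values.get("Manager Name")
    if manager is not None:
        try:
            parse_dn(manager)
        except ValueError as exc:
            problems.append(f"Manager Name: {exc}")
    home = values.get("Home Directory")
    if home is not None and not UNC_RE.match(home):
        problems.append("Home Directory: must look like \\\\server\\share "
                        "with no trailing backslash")
    return problems


if __name__ == "__main__":
    # Constructed sample values; each field breaks one guideline.
    bad = {
        "User Login": "averyveryverylongusername",            # 25 characters
        "User Last Name": "\u65e5" * 26,                     # 26 Japanese chars = 52 bytes
        "Manager Name": "CN=John Doe #2,OU=sales,DC=example,DC=com",
        "Home Directory": "\\\\fs01\\users\\",
    }
    for problem in validate(bad):
        print(problem)
    print(build_dn([("CN", "John Doe #2"), ("OU", "sales"),
                    ("DC", "example"), ("DC", "com")]))
```

parse_dn rejects the unescaped form of the manager DN, and build_dn produces the escaped form the guideline shows; round-tripping a DN through both is a quick way to confirm that a value entered in Oracle Identity Manager is escaped exactly once.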

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile records.

Sample value: Active Directory

Lookup Name

Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system.

Note: If the lookup name that you specify as the value of this attribute is not present in Oracle Identity Manager, then this lookup definition is created while the scheduled job is run.

Depending on the scheduled job you are using, the default values are as follows:

For Active Directory Group Lookup Recon:

Lookup.ActiveDirectory.Groups

For Active Directory Organization Lookup Recon:

Lookup.ActiveDirectory.OrganizationalUnits

Object Type

This attribute holds the name of the type of object you want to reconcile.

Depending on the scheduled job you are using, the default values are as follows:

For Active Directory Group Lookup Recon:

Group

For Active Directory Organization Lookup Recon:

OrganizationalUnit

3.3 Configuring Reconciliation

When you run the Connector Installer, scheduled jobs for user reconciliation are automatically created in Oracle Identity Manager. Configuring reconciliation involves providing values for the attributes of these scheduled jobs.

The following sections provide information about the attributes of the scheduled jobs:

3.3.1 Full Reconciliation and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.

To perform a full reconciliation run, ensure that no values are specified for the following attributes of the scheduled jobs for reconciling user records:

Batch Start

Filter

Latest Token

At the end of the reconciliation run, the Latest Token attribute of the scheduled job for user record reconciliation is automatically set to the highest uSNChanged value seen on the domain controller used for reconciliation. From the next run onward, only records whose uSNChanged value is greater than the Latest Token value are considered for reconciliation. This is incremental reconciliation. Note that uSNChanged is assigned independently by each domain controller and is not replicated, so a Latest Token value obtained from one domain controller is not meaningful on another: if you point the IT resource at a different domain controller, clear the Latest Token attribute and perform a full reconciliation run.

3.3.2 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

You can perform limited reconciliation the first time you perform a reconciliation run. In other words, by using filters or by specifying a search base while configuring a scheduled job for full reconciliation, you can perform limited reconciliation. The following are the ways in which limited reconciliation can be achieved:

3.3.2.1 Limited Reconciliation By Using Filters

You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use any of the Microsoft Active Directory resource attributes to filter the target system records. Table 3-2 lists the filter syntax that you can use and the corresponding description and sample values.

Records that contain all the specified strings for a given attribute are reconciled.

Example:containsAllValues('objectClass',['person','top'])

In this example, all records whose objectClass contains both "top" and "person" are reconciled.

Equality and Inequality Filters

equalTo('ATTRIBUTE_NAME','VALUE')

Records whose attribute value is equal to the value specified in the syntax are reconciled.

Example:equalTo('sAMAccountName','Sales Organization')

In this example, all records whose sAMAccountName is Sales Organization are reconciled.

greaterThan('ATTRIBUTE_NAME','VALUE')

Records whose attribute value (string or numeric) is greater than (in lexicographical or numerical order) the value specified in the syntax are reconciled.

Example 1:greaterThan('cn','bob')

In this example, all records whose common name is present after the common name 'bob' in the lexicographical order (or alphabetical order) are reconciled.

Example 2:greaterThan('employeeNumber','1000')

In this example, all records whose employee number is greater than 1000 are reconciled.

greaterThanOrEqualTo('ATTRIBUTE_NAME','VALUE')

Records whose attribute value (string or numeric) is lexicographically or numerically greater than or equal to the value specified in the syntax are reconciled.

Example 1:greaterThanOrEqualTo('sAMAccountName','S')

In this example, all records whose sAMAccountName is equal to 'S' or greater than 'S' in lexicographical order are reconciled.

Example 2:greaterThanOrEqualTo('employeeNumber','1000')

In this example, all records whose employee number is greater than or equal to 1000 are reconciled.

lessThan('ATTRIBUTE_NAME','VALUE')

Records whose attribute value (string or numeric) is less than (in lexicographical or numerical order) the value specified in the syntax are reconciled.

Example 1:lessThan('sn','Smith')

In this example, all records whose last name is present before the last name 'Smith' in the lexicographical order (or alphabetical order) are reconciled.

Example 2:lessThan('employeeNumber','1000')

In this example, all records whose employee number is less than 1000 are reconciled.

lessThanOrEqualTo('ATTRIBUTE_NAME','VALUE')

Records whose attribute value (string or numeric) is lexicographically or numerically less than or equal to the value specified in the syntax are reconciled.

Example 1:lessThanOrEqualTo('sAMAccountName','A')

In this example, all records whose sAMAccountName is equal to 'A' or less than 'A' in lexicographical order are reconciled.

Example 2:lessThanOrEqualTo('employeeNumber','1000')

In this example, all records whose employee number is less than or equal to 1000 are reconciled.

Complex Filters

<FILTER1> & <FILTER2>

Records that satisfy conditions in both filter1 and filter2 are reconciled. In this syntax, the logical operator & (ampersand symbol) is used to combine both filters.

Example:startsWith('cn', 'John') & endsWith('sn', 'Doe')

In this example, all records whose common name starts with John and last name ends with Doe are reconciled.

<FILTER1> | <FILTER2>

Records that satisfy either the condition in filter1 or filter2 are reconciled. In this syntax, the logical operator | (vertical bar) is used to combine both filters.

Example:contains('sAMAccountName', 'Andy') | contains('sn', 'Brown')

In this example, all records that contain 'Andy' in the sAMAccountName attribute or 'Brown' in the last name are reconciled.

not(<FILTER>)

Records that do not satisfy the given filter condition are reconciled.

Example:not(contains('cn', 'Mark'))

In this example, all records whose common name does not contain 'Mark' are reconciled.
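To check a Filter value before it is put on a scheduled job, the following added example (not code from the connector or from the Oracle documentation) parses the syntax shown in Table 3-2 and applies it to constructed records. Its assumptions: '&' binds tighter than '|' and parentheses group sub-filters (whether the connector itself accepts parentheses is not documented here), a multi-valued attribute matches when any of its values does, string matching is case-sensitive, and an ordering comparison is numeric when both sides are integers and lexicographic otherwise. The real run is evaluated by the connector against the target system, where the attribute syntax decides the ordering, so treat the result as a preview.

```python
"""Preview which records a connector Filter expression would reconcile.

Added example; not code from the connector or the Oracle documentation.
The Table 3-2 grammar is a subset of Python expression syntax, so ast.parse
parses it; the tree is walked against a whitelist of node types (nothing is
eval'd, so a hostile filter string cannot run code) and compiled into a
predicate over a record dict.
"""
import ast
import operator
import re

# Python reads not(<FILTER>) as its low-precedence 'not' keyword; rename first.
NOT_CALL = re.compile(r"\bnot\s*\(")


def _pair(a, b):
    """Integers when both sides parse as integers, else strings ('999' > '1000' as strings)."""
    try:
        return int(a), int(b)
    except ValueError:
        return str(a), str(b)


def _ordered(op):
    return lambda vs, w: any(op(*_pair(v, w)) for v in vs)


# name -> function(values of the attribute, wanted value) -> bool
FUNCS = {
    "equalTo": lambda vs, w: any(str(v) == w for v in vs),
    "contains": lambda vs, w: any(w in str(v) for v in vs),
    "startsWith": lambda vs, w: any(str(v).startswith(w) for v in vs),
    "endsWith": lambda vs, w: any(str(v).endswith(w) for v in vs),
    "containsAllValues": lambda vs, w: set(w) <= set(vs),
    "greaterThan": _ordered(operator.gt),
    "greaterThanOrEqualTo": _ordered(operator.ge),
    "lessThan": _ordered(operator.lt),
    "lessThanOrEqualTo": _ordered(operator.le),
}


def _literal(node):
    """Accept only a quoted string or a list of quoted strings."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.List):
        return [_literal(e) for e in node.elts]
    raise ValueError("filter values must be quoted strings or lists of them")


def _build(node):
    """Compile one AST node into a predicate; anything off the whitelist is rejected."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.BitAnd, ast.BitOr)):
        left, right = _build(node.left), _build(node.right)
        if isinstance(node.op, ast.BitAnd):
            return lambda r: left(r) and right(r)
        return lambda r: left(r) or right(r)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
        if node.func.id == "not_" and len(node.args) == 1:      # the grammar's not(<FILTER>)
            inner = _build(node.args[0])
            return lambda r: not inner(r)
        name, args = node.func.id, [_literal(a) for a in node.args]
        if name not in FUNCS or len(args) != 2 or not isinstance(args[0], str):
            raise ValueError(f"bad filter call: {name}")
        func, attr, wanted = FUNCS[name], args[0], args[1]

        def pred(record):
            present = record.get(attr)
            if present is None:
                return False                                    # absent attribute never matches
            return func(present if isinstance(present, list) else [present], wanted)
        return pred
    raise ValueError(f"unsupported filter syntax: {type(node).__name__}")


def compile_filter(text):
    """Parse a Filter attribute value into a predicate (SyntaxError/ValueError on bad input)."""
    return _build(ast.parse(NOT_CALL.sub("not_(", text.strip()), mode="eval").body)


def select(filter_text, records, key="sAMAccountName"):
    """Return the key of every record the filter would reconcile, in input order."""
    pred = compile_filter(filter_text)
    return [r[key] for r in records if pred(r)]


# Constructed records standing in for a target-system search result.
SAMPLE_RECORDS = [
    {"sAMAccountName": "jdoe", "cn": "John Doe", "sn": "Doe",
     "employeeNumber": "1001", "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": "abrown", "cn": "Andy Brown", "sn": "Brown",
     "employeeNumber": "999", "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": "msmith", "cn": "Mark Smith", "sn": "Smith",
     "employeeNumber": "1000", "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": "Sales Organization", "cn": "Sales Organization", "objectClass": ["top", "group"]},
]

if __name__ == "__main__":
    print(select("startsWith('cn', 'John') & endsWith('sn', 'Doe')", SAMPLE_RECORDS))
```

The employeeNumber records are chosen so that the numeric and lexicographic readings disagree: greaterThan('employeeNumber','1000') selects only jdoe (1001) numerically, whereas a string comparison would also select abrown ('999' sorts after '1000'). If a filter of this kind matters, confirm which ordering the target system applies to the attribute before relying on it.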

3.3.2.2 Limited Reconciliation By Using the Search Base Attribute

You can perform limited reconciliation by using the Search Base attribute of the reconciliation scheduled jobs. By specifying a value for the Search Base attribute, you can limit the container from which the user, group, or organization records must be reconciled. This is the starting point for the search in the hierarchical structure for objects in Microsoft Active Directory. For more information about the Search Base attribute, see Section 3.3.4, "Reconciliation Scheduled Jobs."

3.3.3 Batched Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete. You can configure batched reconciliation to avoid such problems by specifying values for the following attributes of the scheduled jobs:

Batch Size: Use this attribute to specify the number of records that must be included in each batch.

Batch Start: Use this attribute to specify the record number from which batched reconciliation must begin.

Number of Batches: Use this attribute to specify the total number of batches that must be reconciled. The default value of this attribute is All. If you do not want to implement batched reconciliation, then accept the default value. When you accept the default value, the values of the Batch Size, Batch Start, Sort By, and Sort Direction attributes are ignored.

Sort By: Use this attribute to specify the name of the target system field by which the records in a batch must be sorted.

Sort Direction: Use this attribute to specify whether records being fetched must be sorted in ascending or descending order. The value of this attribute can be either asc or desc.

If batched reconciliation fails, then you only need to rerun the scheduled task without changing the values of the task attributes.

After completing batched reconciliation, if you want to perform incremental reconciliation, then specify the value of the highestCommittedUSN attribute (see Step 3 of Section 2.4.1, "Preupgrade Steps") as the value of the Latest Token attribute. From the next reconciliation run onward, the reconciliation engine automatically enters a value for the Latest Token attribute.
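As an added example (not code from the connector or from the Oracle documentation), the following models how the Latest Token and the batching attributes above select the records of a run, and why the token must be discarded when the job is pointed at a different domain controller. It assumes that the stored token is the highest uSNChanged among the records fetched, that Batch Start counts records from 1, and it uses constructed records and domain controller names.

```python
"""Model which records a user reconciliation run fetches under the Latest
Token and batching attributes described above.

Added example; not code from the connector or the Oracle documentation.
Assumptions: the token a run leaves behind is the highest uSNChanged among
the records it fetched; Batch Start counts records from 1; and a token is
honoured only against the domain controller it was read from, because
uSNChanged is assigned independently by each domain controller and is not
replicated, so a value read on dc01 says nothing about change order on dc02.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LatestToken:
    usn: int          # highest uSNChanged seen so far
    dc: str           # domain controller the value was read from


@dataclass
class JobConfig:
    latest_token: Optional[LatestToken] = None   # blank = full reconciliation
    batch_size: int = 0
    batch_start: int = 1
    number_of_batches: str = "All"               # "All" disables batching
    sort_by: str = "sAMAccountName"
    sort_direction: str = "asc"


def plan_run(records, cfg, dc):
    """Return (records to fetch, token to store) for one run against `dc`.

    `records` is the directory content as read from `dc`, each carrying the
    uSNChanged value that DC assigned. With batching enabled the token is
    returned as None: as described above, set Latest Token to the DC's
    highestCommittedUSN by hand once all batches are done.
    """
    token = cfg.latest_token
    floor = token.usn if token is not None and token.dc == dc else 0
    chosen = [r for r in records if r["uSNChanged"] > floor]
    if cfg.number_of_batches != "All":
        chosen.sort(key=lambda r: r[cfg.sort_by],
                    reverse=cfg.sort_direction.lower() == "desc")
        start = cfg.batch_start - 1
        return chosen[start:start + cfg.batch_size * int(cfg.number_of_batches)], None
    highest = max((r["uSNChanged"] for r in chosen), default=floor)
    return chosen, LatestToken(highest, dc)


def sample_records():
    """Constructed snapshot as read from dc01."""
    return [
        {"sAMAccountName": "abrown", "uSNChanged": 11240},
        {"sAMAccountName": "jdoe", "uSNChanged": 11302},
        {"sAMAccountName": "msmith", "uSNChanged": 11298},
        {"sAMAccountName": "pwong", "uSNChanged": 11377},
        {"sAMAccountName": "rlee", "uSNChanged": 11355},
    ]


def names(records):
    return [r["sAMAccountName"] for r in records]


def walkthrough():
    """Full run; incremental run after one change; run against another DC,
    which must not trust the stored token; one batch of a batched run."""
    recs = sample_records()
    first, tok = plan_run(recs, JobConfig(), "dc01")            # full: all five
    recs[1] = dict(recs[1], uSNChanged=11402)                   # jdoe modified
    second, tok2 = plan_run(recs, JobConfig(latest_token=tok), "dc01")
    # dc02 numbers its changes independently; honouring tok2 here would put
    # every dc02 record below 11402 and the run would fetch nothing.
    dc02 = [dict(r, uSNChanged=r["uSNChanged"] - 3000) for r in recs]
    third, _ = plan_run(dc02, JobConfig(latest_token=tok2), "dc02")
    batch, _ = plan_run(recs, JobConfig(batch_size=2, batch_start=3,
                                        number_of_batches="1"), "dc01")
    return names(first), tok, names(second), tok2, names(third), names(batch)


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The third run in walkthrough is the case to watch for in practice: a token carried over to a different domain controller silently suppresses every record whose locally assigned uSNChanged happens to be lower, so the model falls back to a full run instead.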

Enter the name of the target system attribute that holds a non-decreasing value (numeric or string) that is updated whenever the record changes.

The value of this attribute is compared with the Latest Token during incremental reconciliation to determine the most recently changed record fetched from the target system.

Default value: uSNChanged

Note: Do not change the value of this attribute.

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile data.

Sample value: Active Directory

Latest Token

This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation.

Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only user accounts whose uSNChanged value is greater than the Latest Token attribute value are reconciled.

If you accept the default value (All), then all batches are reconciled.

Object Type

This attribute holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

Resource Object Name

Enter the name of the resource object against which reconciliation runs must be performed.

Default value: AD User

Scheduled Task Name

This attribute holds the name of the scheduled task.

Default value: Active Directory User Target Recon

Search Base

Enter the container in which the search for user records must be performed during reconciliation.

Sample Value: ou=org1,dc=corp,dc=com

Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute.

Search Scope

Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs.

Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base attribute. Child containers of the specified container are not included in the search. For example if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU.

Note: If you want to enter onelevel, then remember that you must not include a space between "one" and "level."

Default value: subtree

Sort By

Enter the name of the target system field by which the records in a batch must be sorted.

Default value: sAMAccountName

Note: If you are using AD LDS as the target system, then change the default value of this attribute to some other attribute (for example, cn) because the sAMAccountName attribute does not exist on the AD LDS target system.

Sort Direction

Use this attribute to specify whether records being fetched must be sorted in ascending or descending order. The value of this attribute can be either asc or desc.

Default value: asc

Active Directory User Trusted Recon

This scheduled job is used to reconcile user data in the trusted resource (identity management) mode of the connector. Table 3-4 describes the attributes of this scheduled job.

Table 3-4 Attributes of the Scheduled Job for Reconciliation of User Data from a Trusted Source

Attribute

Description

Batch Size

Enter the number of records that must be included in each batch fetched from the target system.

Enter the name of the target system attribute that holds a non-decreasing value (numeric or string) that is updated whenever the record changes.

The value of this attribute is compared with the Latest Token during incremental reconciliation to determine the most recently changed record fetched from the target system.

Default value: uSNChanged

Note: Do not change the value of this attribute.

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile data.

Sample value: Active Directory

Latest Token

This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation.

Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only user accounts whose uSNChanged value is greater than the Latest Token attribute value are reconciled.

Maintain Hierarchy

Enter yes to specify that you want to maintain in Oracle Identity Manager the same organization hierarchy that is maintained on the target system. Otherwise, enter no.

Default value: no

Note: If you set this attribute to yes, then you must schedule the job for organization reconciliation (Active Directory Organization Recon) to run before this scheduled job.

Manager Id

Enter the decode value of the User Id Code Key in the lookup definition that holds mappings between resource object fields and target system attributes for trusted source reconciliation.

If you are using Microsoft Active Directory as the target system, then the default value of this attribute is sAMAccountName.

If you are using Microsoft AD LDS as the target system, then set the value of this attribute to __UPN_WO_DOMAIN__.

If you accept the default value (All), then all batches are reconciled.

Object Type

This attribute holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

OIM Employee Type

Enter the employee type that must be set for OIM Users created through reconciliation.

Default value: Full-Time

OIM Organization Name

Enter the name of the Oracle Identity Manager organization in which reconciled users must be created.

The OIM Organization attribute is taken into account only if you set the MaintainHierarchy attribute to no. If you set the MaintainHierarchy attribute to yes, then the value of the OIM Organization attribute is ignored.

Default value: Xellerate Users

OIM User Type

Enter the role that must be set for OIM Users created through reconciliation. You must select one of the following values:

End-User

End-User Administrator

Default value: End-User

Resource Object Name

Enter the name of the resource object against which reconciliation runs must be performed.

Default value: AD User Trusted

Scheduled Task Name

This attribute holds the name of the scheduled task.

Default value: Active Directory User Trusted Recon

Search Base

Enter the container in which the search for user records must be performed during reconciliation.

Sample Value: ou=org1,dc=corp,dc=com

Note: If you do not specify a value for this attribute, then the value specified as the value of the Container parameter of the IT resource is used as the value of this attribute.

Search Scope

Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs.

Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base attribute. Child containers of the specified container are not included in the search. For example if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU.

Note: If you want to enter onelevel, then remember that you must not include a space between "one" and "level."

Default value: subtree

Sort By

Enter the name of the target system field by which the records in a batch must be sorted.

Default value: sAMAccountName

Note: If you are using AD LDS as the target system, then change the default value of this attribute to some other attribute (for example, cn) because the sAMAccountName attribute does not exist on the AD LDS target system.

Sort Direction

Use this attribute to specify whether records being fetched must be sorted in ascending or descending order. The value of this attribute can be either asc or desc.

Default value: asc

3.3.4.2 Scheduled Jobs for Reconciliation of Deleted User Records

Depending on whether you want to implement trusted source or target resource delete reconciliation, you must specify values for the attributes of one of the following scheduled jobs:

Active Directory User Target Delete Recon

This scheduled job is used to reconcile data about deleted users in the target resource (account management) mode of the connector. During a reconciliation run, for each user account deleted on the target system, the Active Directory resource is revoked for the corresponding OIM User.

Active Directory User Trusted Delete Recon

This scheduled job is used to reconcile data about deleted users in the trusted source (identity management) mode of the connector. During a reconciliation run, for each deleted target system user account, the corresponding OIM User is deleted.

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile user data.

The default value of this attribute in the Active Directory User Target Delete Recon scheduled job is Active Directory.

The default value of this attribute in the Active Directory User Trusted Delete Recon scheduled job is none.

Note: If you have configured your target system as trusted source, then ensure that you specify the name of the IT resource in which the Configuration Lookup parameter is set to Lookup.Configuration.ActiveDirectory.Trusted.

Object Type

This attribute holds the type of object you want to reconcile.

Default value: User

Resource Object Name

Enter the name of the resource object against which reconciliation runs must be performed.

The default value of this attribute in the Active Directory User Target Delete Recon scheduled job is AD User.

The default value of this attribute in the Active Directory User Trusted Delete Recon scheduled job is AD User Trusted.

Sync Token

This attribute must be left blank when you run delete reconciliation for the first time. This ensures that data about all records deleted from the target system is fetched into Oracle Identity Manager.

After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records deleted since the last reconciliation run ended is fetched into Oracle Identity Manager.

This attribute stores values in the following format:

<String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>

A value of True in the preceding format specifies that the Global Catalog Server is used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller on which the Global Catalog Server is running.

A value of False specifies that the Global Catalog Server is not used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER will be replaced with the name of the domain controller from which data about deleted records is fetched.
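The following added example (not code from the connector or from the Oracle documentation) parses and re-serializes a Sync Token in the format shown above and decides whether a stored token can be carried into the next run against a given host, or must be blanked to force a full delete reconciliation. It treats the leading 0 as an opaque version field, compares host names case-insensitively, and assumes a token is valid only for the domain controller it was recorded on with the same Global Catalog setting, since uSNChanged values are assigned per domain controller and are not replicated; the host names and token values are constructed.

```python
"""Parse and validate the Sync Token of the delete reconciliation jobs.

Added example; not code from the connector or the Oracle documentation.
It reads the format <String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>
and decides whether a stored token may be carried into the next run or
must be blanked to force a full delete reconciliation. Assumptions: the
leading 0 is an opaque version field preserved unchanged, host names
compare case-insensitively, and a token is valid only for the host it was
recorded on with the same Global Catalog setting (uSNChanged is assigned
per domain controller and is not replicated).
"""
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r"^<String>(\d+)\|(\d+)\|(True|False)\|([^|<>]+)</String>$")


@dataclass(frozen=True)
class SyncToken:
    version: int
    usn: int                  # uSNChanged high-water mark for deletions
    global_catalog: bool      # True: the Global Catalog Server was used
    domain_controller: str

    @classmethod
    def parse(cls, text):
        """Parse the XML-serialized value; raises ValueError on anything else
        (including lower-case true/false, which the format does not use)."""
        m = TOKEN_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a Sync Token: {text!r}")
        version, usn, gc, dc = m.groups()
        return cls(int(version), int(usn), gc == "True", dc)

    def serialize(self):
        flag = "True" if self.global_catalog else "False"
        return f"<String>{self.version}|{self.usn}|{flag}|{self.domain_controller}</String>"

    def valid_for(self, host, use_global_catalog):
        """True when an incremental run against `host` may continue from this token."""
        return (self.domain_controller.lower() == host.lower()
                and self.global_catalog == use_global_catalog)


def token_for_next_run(stored, host, use_global_catalog):
    """Value to leave in the Sync Token attribute before the next run:
    the stored token when it still applies, otherwise '' (blank = full run)."""
    if not stored.strip():
        return ""
    token = SyncToken.parse(stored)
    return token.serialize() if token.valid_for(host, use_global_catalog) else ""


if __name__ == "__main__":
    # Constructed token value, as it would appear on the scheduled job.
    stored = "<String>0|11377|False|dc01.example.com</String>"
    print(token_for_next_run(stored, "dc01.example.com", False))        # unchanged
    print(repr(token_for_next_run(stored, "dc02.example.com", False)))  # '' -> full run
```

Run token_for_next_run with the host and Global Catalog setting of the IT resource before each delete reconciliation run; an empty result means the stored token no longer applies and the attribute should be cleared so that the run starts from scratch rather than skipping deletions.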

3.3.4.3 Scheduled Jobs for Reconciliation of Groups and Organizations

Depending on your requirement, you must specify values for the attributes of one of the following scheduled jobs:

Active Directory Group Recon

This scheduled job is used to reconcile group data from the target system.

Active Directory Organization Recon

This scheduled job is used to reconcile organization data from the target system.

See Also:

The following sections for information about running group and organization reconciliation:

Note: While creating filters, ensure that you use attributes specific to groups or organizational units.

Incremental Recon Attribute

Enter the name of the target system attribute that holds a non-decreasing value (numeric or string) that is updated whenever the record changes.

The value of this attribute is compared with the Latest Token during incremental reconciliation to determine the most recently changed record fetched from the target system.

Default value: uSNChanged

Note: Do not change the value of this attribute.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile group or organization data.

Default value: Active Directory

Latest Token

This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation.

Sample value: 0

Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups or organizational units whose uSNChanged value is greater than the Latest Token attribute value are reconciled.

Object Type

Type of object to be reconciled.

The default value of this attribute in the Active Directory Group Recon scheduled job is Group.

The default value of this attribute in the Active Directory Organization Recon scheduled job is organizationalUnit.

Organization Name

Enter the name of the organization to which all groups fetched from the target system are linked.

Note: This attribute is present only in the Active Directory Group Recon scheduled job.

Organization Type

Type of organization to be created in Oracle Identity Manager.

Default value: Company

Note: This attribute is present only in the Active Directory Group Recon scheduled job.

Resource Object Name

Name of the resource object that is used for reconciliation.

The default value of this attribute in the Active Directory Group Recon scheduled job is AD Group.

The default value of this attribute in the Active Directory Organization Recon scheduled job is Xellerate Organization.

Scheduled Task Name

Name of the scheduled task used for reconciliation.

The default value of this attribute in the Active Directory Group Recon scheduled job is Active Directory Group Recon.

The default value of this attribute in the Active Directory Organization Recon scheduled job is Active Directory Organization Recon.

Search Base

Enter the container in which the search for group or organization records must be performed during reconciliation.

Sample Value: ou=org1,dc=corp,dc=com

Note: If you do not specify a value for this attribute, then the value of the Container parameter of the IT resource is used instead.

Search Scope

Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover the abc OU and all of its child OUs.

Enter onelevel if you want the scope of the search for records to be restricted to only the container specified by the Search Base attribute. Child containers of the specified container are not included in the search. For example, if the search base is set to OU=abc,DC=corp,DC=com, then the search would cover only the abc OU.

Note: If you want to enter onelevel, then remember that you must not include a space between "one" and "level."

Default value: subtree
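The following PowerShell simulation is an added example, not part of the connector documentation or the connector's own code. It shows how Search Base, Search Scope, Object Type and Latest Token together decide which records a group or organization reconciliation run picks up, and how the next Latest Token value is derived from the records that were read. The directory entries are constructed sample data; the DN handling assumes that no relative distinguished name contains an escaped comma, and the base container itself is not treated as a record.

```powershell
# Added example (not connector code): filters constructed directory entries the
# way the Active Directory Group Recon / Organization Recon attributes describe.

function Test-InScope {
    param([string]$Dn, [string]$SearchBase, [string]$SearchScope)
    $base = $SearchBase.ToLowerInvariant()
    $dn   = $Dn.ToLowerInvariant()
    # Entries outside the base container (and the base container itself) are out of scope.
    if (-not $dn.EndsWith(",$base")) { return $false }
    switch ($SearchScope) {
        'subtree'  { return $true }                       # any depth below the base
        'onelevel' {                                      # direct children of the base only
            $rdnsBelowBase = @($dn.Substring(0, $dn.Length - $base.Length - 1) -split ',').Count
            return ($rdnsBelowBase -eq 1)
        }
        default    { throw "Search Scope must be subtree or onelevel (got '$SearchScope')" }
    }
}

function Select-ReconEntries {
    param(
        [object[]]$Entries, [string]$SearchBase, [string]$SearchScope,
        [string]$ObjectType, [long]$LatestToken
    )
    $picked = $Entries | Where-Object {
        $_.ObjectClass -eq $ObjectType -and
        $_.uSNChanged -gt $LatestToken -and          # strictly greater than Latest Token, as documented
        (Test-InScope -Dn $_.DistinguishedName -SearchBase $SearchBase -SearchScope $SearchScope)
    }
    # The next Latest Token is the highest uSNChanged read in this run; an
    # operator who sets the token higher by hand silently skips everything below it.
    $newToken = if ($picked) { ($picked | Measure-Object -Property uSNChanged -Maximum).Maximum } else { $LatestToken }
    [pscustomobject]@{ Entries = @($picked); NewLatestToken = [long]$newToken }
}

# Constructed sample entries (not real directory contents).
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'OU=Sales,OU=org1,DC=corp,DC=com';         ObjectClass = 'organizationalUnit'; uSNChanged = 1200 }
    [pscustomobject]@{ DistinguishedName = 'OU=EMEA,OU=Sales,OU=org1,DC=corp,DC=com'; ObjectClass = 'organizationalUnit'; uSNChanged = 1350 }
    [pscustomobject]@{ DistinguishedName = 'CN=Admins,OU=org1,DC=corp,DC=com';        ObjectClass = 'group';              uSNChanged = 1400 }
    [pscustomobject]@{ DistinguishedName = 'OU=Archive,OU=org1,DC=corp,DC=com';       ObjectClass = 'organizationalUnit'; uSNChanged = 900  }
    [pscustomobject]@{ DistinguishedName = 'OU=Other,DC=corp,DC=com';                 ObjectClass = 'organizationalUnit'; uSNChanged = 1500 }
)

$run = Select-ReconEntries -Entries $sample -SearchBase 'ou=org1,dc=corp,dc=com' `
           -SearchScope 'onelevel' -ObjectType 'organizationalUnit' -LatestToken 1000
$run.Entries | Select-Object DistinguishedName, uSNChanged
"next Latest Token: $($run.NewLatestToken)"
```

With the sample data and onelevel scope, the EMEA OU is excluded because it sits two levels below the base, the Archive OU is excluded because its uSNChanged is not above the token, the Admins group is excluded by Object Type, and the Other OU is outside the base. Switching the scope to subtree brings EMEA back in and raises the next token accordingly.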

3.3.4.4 Scheduled Job for Reconciliation of Deleted Groups

The Active Directory Group Delete Recon scheduled job is used to reconcile data about deleted groups. Its attributes are as follows:

IT Resource Name

Name of the IT resource instance that the connector must use to reconcile group data.

Default value: Active Directory

Object Type

This attribute holds the type of object you want to reconcile.

Default value: Group

Resource Object Name

Enter the name of the resource object against which reconciliation runs must be performed.

Default value: AD Group

Scheduled Task Name

This attribute holds the name of the scheduled task.

Default value: Active Directory Group Delete Recon

Sync Token

This attribute must be left blank when you run delete reconciliation for the first time. This ensures that data about all records that have been deleted from the target system is fetched into Oracle Identity Manager.

After the first delete reconciliation run, the connector automatically enters a value for this attribute in an XML serialized format. From the next reconciliation run onward, only data about records deleted since the last reconciliation run ended is fetched into Oracle Identity Manager.

This attribute stores values in the following format:

<String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>

A value of True in the preceding format specifies that the Global Catalog Server is used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller on which the Global Catalog Server is running.

A value of False specifies that the Global Catalog Server is not used during delete reconciliation runs. In addition, DOMAIN_CONTROLLER is replaced with the name of the domain controller from which data about deleted records is fetched.
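The following PowerShell functions are an added example, not part of the connector documentation or the connector's own code. They read and rebuild a Sync Token in the format shown above, so that an operator checking a scheduled job can see at a glance which uSNChanged value the next delete run starts from and whether it will go to the Global Catalog Server or to a plain domain controller. The token strings and host names used as sample input are constructed.

```powershell
# Added example (not connector code): parse and rebuild the Sync Token string
# <String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>

function ConvertFrom-SyncToken {
    param([Parameter(Mandatory = $true)][string]$Token)
    $pattern = '^<String>0\|(?<usn>\d+)\|(?<gc>True|False)\|(?<dc>[^|<>]+)</String>$'
    if (-not ($Token -match $pattern)) {
        # A hand-edited or truncated token would otherwise be passed on unchecked.
        throw "Sync Token is not in the expected format: '$Token'"
    }
    [pscustomobject]@{
        USNChanged        = [long]$Matches['usn']       # high-water mark of the last run
        UsesGlobalCatalog = ($Matches['gc'] -eq 'True') # True: Global Catalog Server is queried
        DomainController  = $Matches['dc']              # host the deleted records are read from
    }
}

function ConvertTo-SyncToken {
    param([long]$USNChanged, [bool]$UsesGlobalCatalog, [string]$DomainController)
    $flag = if ($UsesGlobalCatalog) { 'True' } else { 'False' }
    "<String>0|$USNChanged|$flag|$DomainController</String>"
}

# Constructed sample tokens (host names are placeholders, not real servers).
$gcToken = '<String>0|245783|True|gc1.corp.com</String>'
$dcToken = '<String>0|245783|False|dc2.corp.com</String>'
ConvertFrom-SyncToken $gcToken
ConvertFrom-SyncToken $dcToken

# Round trip: rebuilding the token from its parts reproduces the original string.
(ConvertTo-SyncToken -USNChanged 245783 -UsesGlobalCatalog $true -DomainController 'gc1.corp.com') -eq $gcToken
```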

Organization Name

Enter the name of the organization to which data about all deleted groups fetched from the target system is linked.

If you have configured the connector to perform group reconciliation in scenario 1, then you need not specify a value for this attribute. If you specify a value, the connector ignores it.

If you have configured the connector to perform group reconciliation in scenario 2, then enter the same organization name specified for the Organization Name attribute of the Active Directory Group Recon scheduled job.

3.4 Configuring and Running Group Reconciliation

This section describes the two scenarios in which group reconciliation is performed and the procedure for each.

Scenario 1

In this scenario, an organizational unit with the name of the target system group is created in Oracle Identity Manager, and the group is reconciled into that newly created organizational unit. In other words, this is the scenario in which you want every target system group to be reconciled into an organization of its own.

To perform group reconciliation in this scenario:

Ensure that the value of the Configuration Lookup parameter of the IT resource is set to Lookup.Configuration.ActiveDirectory.

Search for and open the Active Directory Group Recon scheduled job.

Set the value of the Resource Object Name attribute of the scheduled job to Xellerate Organization. Note that you need not specify a value for the Organization Name attribute. If you specify a value for the Organization Name attribute, then the value is ignored.

In the Administrative and User Console, verify that an organizational unit with the name of the group has been created and that this organizational unit has the AD Group resource object in the Provisioned state.

Scenario 2

This section discusses the procedure to perform group reconciliation when all groups available on the target system must be reconciled under the same organizational unit in Oracle Identity Manager. In other words, suppose a scenario in which you want all target system groups to be reconciled into a single organization.

To perform group reconciliation in this scenario:

Log in to the Design Console.

Expand Administration, and then double-click Lookup Definition.

Search for and open the Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition.

Change the Decode value of the OIM Org Name entry from sAMAccountName to Organization Name.

Save and close the lookup definition.

Log in to the Administrative and User Console.

Search for and open the Active Directory Group Recon scheduled job, and then:

Clear the value in the Latest Token attribute.

In the Resource Object Name attribute field, specify AD Group as the value.

In the Organization Name attribute field, specify the name of an organizational unit under which all groups from the target system must be reconciled.

This scheduled task is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the AD User resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see Section 3.3.4.2, "Scheduled Jobs for Reconciliation of Deleted User Records."

The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

3.7 Configuring Action Scripts

Actions are scripts that you can configure to run before or after create, update, or delete account provisioning operations. For example, you can configure a script to run before every user creation. Similarly, you can run custom PowerShell scripts before or after creating, updating, or deleting a mailbox.

The following is a summary of the procedure to configure action scripts:

On the computer hosting the connector server, create the custom script (for example, PowerShell) in a directory. This script should be self-sufficient, that is, it should be able to create, maintain, and delete sessions with the target AD server and complete all actions against it.

On the computer hosting Oracle Identity Manager, create a batch (.bat) file. This batch file runs on the computer hosting the connector server, which in turn calls the custom script (for example, PowerShell) available on the connector server host computer. Even if Oracle Identity Manager is installed on a UNIX-based computer, create a batch file.

Table 3-9 describes the entries to be added to the Lookup.ActiveDirectory.UM.Configuration lookup definition for running action scripts.

Table 3-9 Lookup Entries for Running Action Scripts

Code Key: TIMING Action Language

Decode: Scripting language of the script you want to run. For a custom shell script, enter Shell as the decode value.

Code Key: TIMING Action File

Decode: Full path and name of the file containing the script to be run. Note that the file containing the script must be located on the computer on which Oracle Identity Manager is running.

Code Key: TIMING Action Target

Decode: Context in which the script must be run. Enter Resource as the decode value.

In the preceding table, TIMING defines when an action must be performed. An action can be invoked either before or after a create, update, or delete provisioning operation. Therefore, TIMING can be replaced with any of the following values:

Before Create

Before Update

Before Delete

After Create

After Update

After Delete

All the entries in Table 3-9 define an action together. Therefore, to configure action scripts, all the entries must be defined. Otherwise, no action is performed.

As an example, the following procedure describes the steps to run a custom PowerShell script before a create operation:

Log in to the Design Console.

Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition.

Add the following new values:

Code Key: TIMING Action Language

Sample value: Before Create Action Language

Decode: Enter the scripting language of the script you want to execute

Sample value: Shell

Add these new values:

Code Key: TIMING Action File

Sample value: Before Create Action File

Decode: Enter the full path of the batch file that invokes the script. (Oracle Identity Manager must be able to access this file.)

Sample value: /scratch/Scripts/InvokeCustomScript.bat

Add these new values:

Code Key: TIMING Action Target

Sample value: Before Create Action Target

Decode: Resource (do not modify this value)

Save the lookup definition.

On the computer running Oracle Identity Manager, create the /scratch/Scripts/InvokeCustomScript.bat file with the following content:

Powershell.exe -File NAME_AND_FULL_LOCATION_OF_THE_CUSTOM_SCRIPT
Exit

Sample value:

Powershell.exe -File C:\myscripts\CustomScript.ps1
Exit

Log in to the computer running the connector server and create the custom script file (in this example, CustomScript.ps1 in the C:\myscripts directory) with the following content:

This script runs before every create provisioning operation. This script creates an Organization named 'ScriptOU81'. Similarly, you can write custom scripts as per your requirement.

Note:

If you are using a PowerShell script, then before running the script by using the connector or Oracle Identity Manager, verify the following on the computer running the connector server:

From a PowerShell window, you must be able to connect manually to the AD server by using the values specified in the script, without any issues.

From the command prompt, navigate to the directory containing the batch file. Then, run the batch file with the appropriate parameters and ensure that the PowerShell script runs against the AD server without any issues.

Note that you can pass process form fields to scripts that call the before or after action scripts. These process form fields must be present in the Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition and be mapped to a corresponding target system attribute. For example, you can pass the First Name process form field (present in the Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition) to an action script by specifying "givenName," which is the name of the corresponding attribute in the target system.

Note:

Process form fields marked as IGNORE are not sent to the connector.

The following is an example procedure for running a script before a create provisioning operation:

Create a file named script.bat (the extension does not matter) with the following line:

echo create >> C:\%givenName%.txt

Log in to the Design Console.

Expand Administration and then double-click Lookup Definition.

Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition and add the following entries:

Provision a user account. You notice that the script (created in Step 1) is run and a file with the value specified for the givenName attribute is created on the target system.
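The following script is an added example, not the CustomScript.ps1 from the procedure above and not code shipped with the connector. It combines the two examples in this section: a Before Create action that creates the ScriptOU81 organizational unit, and a process form field handed to the script by the batch file on the Oracle Identity Manager host, which in this variant invokes it as Powershell.exe -File C:\myscripts\CustomScript.ps1 "%givenName%" (the same argument-passing pattern as the arg.vbs example later in this section). Everything not stated on the page is assumed: that the ActiveDirectory PowerShell module is installed on the connector server host, that the account running the connector server may create OUs, the domain controller dc1.corp.com, the parent container DC=corp,DC=com, and the log file C:\myscripts\action.log.

```powershell
# Added example (not the page's CustomScript.ps1 and not connector code).
# Invoked from the batch file on the Oracle Identity Manager host as
#   Powershell.exe -File C:\myscripts\CustomScript.ps1 "%givenName%"
# so the givenName process form value arrives as the first script argument.
# Assumed, not from the page: ActiveDirectory module present, dc1.corp.com,
# DC=corp,DC=com and C:\myscripts\action.log.
[CmdletBinding()]
param(
    [string]$GivenName  = '',                    # givenName process form field
    [string]$Server     = 'dc1.corp.com',        # assumed domain controller
    [string]$ParentPath = 'DC=corp,DC=com',      # assumed parent container
    [string]$LogFile    = 'C:\myscripts\action.log'
)

$ErrorActionPreference = 'Stop'

function Write-ActionLog([string]$Message) {
    # Errors in action scripts are not propagated to Oracle Identity Manager,
    # so the script keeps its own record of what it did and why it stopped.
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

try {
    # Treat the process form value strictly as data: validate its shape before
    # using it anywhere, and never splice it into a filter or command string.
    if ($GivenName -notmatch '^[\p{L}\p{N} ._-]{1,64}$') {
        Write-ActionLog "rejected givenName value: '$GivenName'"
        exit 1
    }

    Import-Module ActiveDirectory

    # Mirrors the page's example of creating an OU named ScriptOU81. Passing
    # -Server keeps the script self-sufficient, as the page requires, instead
    # of depending on a session set up elsewhere.
    $ouName = 'ScriptOU81'
    $existing = Get-ADOrganizationalUnit -Server $Server -Filter "Name -eq '$ouName'" `
                    -SearchBase $ParentPath -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Server $Server -Name $ouName -Path $ParentPath `
            -ProtectedFromAccidentalDeletion $true
        Write-ActionLog "created OU $ouName under $ParentPath (trigger: givenName=$GivenName)"
    } else {
        Write-ActionLog "OU $ouName already exists; nothing to do (trigger: givenName=$GivenName)"
    }
    exit 0
}
catch {
    Write-ActionLog "action script failed: $($_.Exception.Message)"
    exit 1
}
```

The validation step and the log file are the two things a practitioner usually wants to add to the page's minimal script: because the connector discards script errors, the log is the only place a failed or rejected run leaves a trace, and because the process form value is substituted verbatim, the script decides for itself what it will accept.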

You can also configure actions by using Visual Basic scripts. Although Visual Basic scripts are not directly supported, a Visual Basic script can be called using a shell script.

The following is an example procedure for running actions by using Visual Basic scripts that consume data dynamically from the process form. This example is for an After Create action that creates a user in an organizational unit in addition to the one in which the user is provisioned.

Create a file (a script) on the computer running Oracle Identity Manager with the following data:

C:\arg.vbs %givenName%

Note that there is a space between C:\arg.vbs and %givenName%.

On the machine hosting the target system, create a file in the C:\ directory. For example, create an arg.vbs file.

Any errors encountered while running action scripts are ignored and are not propagated to Oracle Identity Manager.

During create operations, all attributes that are part of the process form are available to the script.

During update operations, only the attribute that is being updated is available to the script.

If other attributes are also required, then a new adapter calling ICProvisioningManager#updateAttributeValues(String objectType, String[] labels) must be created and used. During adapter mapping in the process task, add the form field labels of the dependent attributes.

During delete operations, only the __UID__ (GUID) attribute is available to the script.

3.7.1 Guidelines on Creating Scripts

The following are the guidelines that you must apply or be aware of while configuring action scripts:

Your script file can contain scripts that include attributes present in the decode column of any of the following lookup definitions:

Lookup.ActiveDirectory.UM.ProvAttrMap

Lookup.ActiveDirectory.GM.ProvAttrMap

Lookup.ActiveDirectory.OM.ProvAttrMap

All field names used in the scripts must be enclosed within % characters, for example %givenName%.

You can call any VB script from a shell and pass the process form fields.

You cannot include the Password field in the script. This is because the password is stored as a guarded string, so the exact password cannot be obtained when values for the Password field are fetched.

Addition of child table attributes belongs to the 'Update' category and not 'Create.'

On the Step 5: Provide Process Data for Active Directory Users Form page, enter the details of the account that you want to create on the target system and then click Continue. Figure 3-5 shows the user details added.

Close the window displaying the "Provisioning has been initiated" message.

On the Resources tab, click Refresh to view the newly provisioned resource.

3.8.2 Request-Based Provisioning

A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

Note:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver.

On the Select Users page, specify a search criterion in the fields to search for the user to whom you want to provision the resource, and then click Search. A list of users that match the search criterion you specify is displayed in the Available Users list.

From the Available Users list, select the user to whom you want to provision the account.

If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account.

Click Move or Move All to include your selection in the Selected Users list, and then click Next.

On the Select Resources page, click the arrow button next to the Resource Name field to display the list of all available resources.

From the Available Resources list, select AD User, move it to the Selected Resources list, and then click Next.

On the Resource Details page, enter details of the account that must be created on the target system, and then click Next.

If you are setting values for the Terminal Services Profile fields, then you must select the Remote Manager IT resource.

On the Justification page, you can specify values for the following fields, and then click Finish.

Effective Date

Justification

A message confirming that your request has been sent successfully is displayed along with the Request ID.

If you click the request ID, then the Request Details page is displayed.

To view details of the approval, on the Request Details page, click the Request History tab.

3.8.2.2 Approver's Role in Request-Based Provisioning

The following are the steps that the approver performs in a request-based provisioning operation:

Log in to the Administrative and User Console.

On the Welcome page, click Self-Service in the upper-right corner of the page.

On the Welcome to Identity Manager Self Service page, click the Tasks tab.

On the Approvals tab, in the first section, you can specify a search criterion for the request tasks that are assigned to you.

From the search results table, select the row containing the request you want to approve, and then click Approve Task.

3.10 Uninstalling the Connector

The connector cannot be uninstalled if a valid access policy is present in Oracle Identity Manager. As a workaround, create a dummy resource type by using the Design Console. Remove the dependent access policy by directing it to the dummy resource type, and then remove the dependency from the resource type that must be deleted.

Uninstalling the connector removes only those IT resource definitions (and their IT resources) that are attached to the process form. However, the IT resource of the Connector Server IT Resource Type Definition is not removed from Oracle Identity Manager.
